If your local client has already been configured, you can create a test certificate by running the step ca certificate command. Here is an example:

step ca certificate myservice myservice.crt myservice.key \\
 --san myservice.internal.mycompany.net \\
 --not-after 8h

In this command, we are asking the CA to create a certificate with the following properties

myservice - The certificate's subject

myservice.crt - Save the certificate in a file with this name

myservice.key - Save the key in a file with this name

  • --san myservice.internal.mycompany.net - Add an additional SAN to the certificate, with the specified value
  • --not-after 8h - Set the certificate to expire after 8 hours

When you run this command, smallstep will need to authenticate you, so it will make a call to the authority-admin provisioner and start a single sign-on flow via the Smallstep dashboard. After a successful sign-in, the authority will issue the certificate at the command line.

NOTE: If you have created additional provisioners you may see them appear during the “authentication” step. authority-admin is the only provisioner used to validate a user to smallstep. If instead, you want to create a certificate using a different provisioner, use the —provisioner parameter when making the certificate request.